Wednesday, November 10, 2010

Police access to encrypted files: Does the Anglo case show up a gap in the legislation?


According to today's Irish Independent the Anglo investigation is being held up by encrypted files:
Gardai are unable to examine more than 100 key files in their investigation into Anglo Irish Bank because former senior executives have not handed over the computer passwords.

Former Anglo staff hold passwords to about 200 documents vital to the inquiries being carried out jointly by the Garda Fraud Bureau and the Director of Corporate Enforcement.

The passwords for around a third of the encrypted documents have been produced so far by the bank. But Anglo admitted it has been unable up to now to secure the rest.

Among the former employees being contacted by Anglo to establish if they have knowledge of the missing passwords is its ex-chairman Sean FitzPatrick.

Gardai are using state-of-the-art technology to crack the password puzzle and are confident they will be able to gain access to all of the key documents.

But they indicated yesterday that the absence of the passwords was one of the factors which have delayed the completion of their inquiries.
In light of this story it might be worth considering the legal position governing police access to such files and whether or not the former bank officials mentioned might be compelled to assist in decrypting them.

Background

Irish law generally doesn't require disclosure of passwords or private keys to police - see e.g. section 28 of the Electronic Commerce Act 2000. (This is in contrast to the position in the UK, where there is a wide power to order key disclosure and it is an offence to fail to disclose - see here for an example of such an order.)

However, there are specific Garda powers under the Criminal Justice (Theft and Fraud Offences) Act 2001 which are relevant. Will they apply to the facts of this particular case?

Search warrants

The first power is contained in section 48 of the Act, which deals with search warrants and provides that:
A member of the Garda Síochána acting under the authority of a warrant under this section may—

(a) operate any computer at the place which is being searched or cause any such computer to be operated by a person accompanying the member for that purpose, and
(b) require any person at that place who appears to the member to have lawful access to the information in any such computer—

(i) to give to the member any password necessary to operate it,
(ii) otherwise to enable the member to examine the information accessible by the computer in a form in which the information is visible and legible, or
(iii) to produce the information in a form in which it can be removed and in which it is, or can be made, visible and legible.
Consequently search warrants under this section can have the effect of requiring individuals to provide passwords or to decrypt information (to provide it in a "visible and legible" form). However, this power wouldn't apply in the context of the Anglo investigation insofar as it only applies to any "person at the place which is being searched". Former bank employees who are sipping brandy at home can't be required to assist in the decryption process.

Evidence orders

At first glance, the section 52 power would appear to be more promising. That section provides that:
(2) A judge of the District Court, on hearing evidence on oath given by a member of the Garda Síochána, may, if he or she is satisfied that—

(a) the Garda Síochána are investigating an offence to which this section applies,
(b) a person has possession or control of particular material or material of a particular description, and
(c) there are reasonable grounds for suspecting that the material constitutes evidence of or relating to the commission of the offence,

order that the person shall—

(i) produce the material to a member of the Garda Síochána for the member to take away, or
(ii) give such a member access to it,

either immediately or within such period as the order may specify.

(3) Where the material consists of or includes information contained in a computer, the order shall have effect as an order to produce the information, or to give access to it, in a form in which it is visible and legible and in which it can be taken away.
As with the section 48 power, this includes a power to require a person to decrypt information (though not to require a person to provide a password or key). Again, however, it wouldn't seem to apply to former bank officials. The order to produce and/or decrypt evidential material applies where a person has certain material in their "possession or control". This wouldn't seem to stretch to the situation where the material - the file - is located on bank premises and as such isn't in the possession or control of the former bank official.

Other statutory powers?

Sections 48 and 52 of the 2001 Act are not the only statutory powers to provide for passwords to be handed over or information to be decrypted. Similar powers are contained in section 16 of the Proceeds of Crime Act 1996 (as amended by the Proceeds of Crime (Amendment) Act 2005) and several other pieces of legislation. However, these powers all appear to be modelled on the 2001 Act and consequently would fall foul of the same problems if applied to a person who is not at the scene or does not have possession or control of the material in question.

Conclusion

If this analysis is correct then there would seem to be a gap in the 2001 Act powers to require decryption - while a person can be compelled to decrypt material so long as they remain in employment in a particular organisation it would seem that once they leave then they are no longer subject to these powers.

2 comments:

  1. Any half-competent organisation will change passwords and keys when staff that know them leave an organisation.

    ReplyDelete
  2. Lorcan Hurley27 October, 2014

    Very interesting TJ. I think a good adocate could, however, certainly make a strong argument that under Section 52 former employees do indeed retain 'control'. It would depend on the procedures in place at different institutions but for example Gmail can be accessed by students long after graduation (an opqaue comparison) and the college may not have access to the email contents. Email and files can reside in the cloud so a physical location-specific argument may not hold. Other companies may have different procedures. Organisations can and do leave extra security procedures at the discretion of employees who could arrange extra encryption themselves which the organisation would not have access to.

    The current civil case seems interesting but I would imagine that the Good Practice Guide will hold through. A criminal case would be perhaps more interesting and hopefully the judge will make reference to what would happen in a criminal context too.

    Lorcan

    ReplyDelete